PortSmash Hyper-Threading Vuln Steals Decrypt Keys

A new side-channel vulnerability called PortSmash has been found. It uses a timing attack to steal information from other processes running on the same CPU core when SMT/Hyper-Threading is enabled.


Using this attack, researchers were able to steal the private decryption key from an OpenSSL thread running on the same core as their exploit.

For those who don't know, SMT/Hyper-Threading is when one physical CPU core is split into two virtual logical cores that can be used to run two separate process threads at once.

This method can increase performance as the two threads will utilize idle CPU resources more efficiently to execute instructions faster.

A side channel timing attack is when an attacker analyzes how fast a thread executes particular instructions and utilizes that info to work backwards to discover what data was used as input.

The PortSmash vulnerability was discovered by researchers Billy Bob Brumley, Sohaib ul Hassan, Cesar Pereida Garcia, and Nicola Tuveri from the Tampere University of Technology in Finland as well as Alejandro Cabrera Aldaya from the Universidad Tecnologica de la Habana CUJAE in Cuba.

An advisory was posted to the OSS-Sec mailing list and their research has been submitted as a paper titled “Port Contention for Fun and Profit” as an IACR eprint, which is currently awaiting moderation before it’s released.

In an email with the researchers, Nicola Tuveri explained to us that port contention was used to measure how long it took OpenSSL to perform an operation.

Using these measurements, the researchers were able to work backwards to recover a private key.

“Shortly and simplifying, with SMT and two threads per core, a process running on one thread will have its own instructions and data, but will share some hardware resources with a process running on the colocated thread.

Instructions will be decoded independently in simpler micro-operations and pipe-lined in the CPU to the corresponding Execution Units. (Execution Units are the actual silicon areas that are specialized to handle specific operations: i.e, there are a few EU dedicated to integer additions/subtraction, separate ones for integer multiplication, other for floating point arithmetic, etc.)

Every core has a complete set of EUs to support the whole instruction set, and threads on the same core share access to the EUs.

EUs are grouped together in bundles each accessible through a port: microops from the two threads are issued to the available ports, and another micro-component, the core scheduler, optimizes for fairness and performance when the same microop can be issued to different equivalent EUs behind different ports.

These ports are the object of the discussed port contention. Let us for example suppose port five is used by a victim process during a particular crypto operation: while the victim process is not using port five, the spy process running on the other thread will have undelayed access to repeatedly execute on port five; as soon as the victim process issues an operation on port five, the scheduler will delay ops from the spy process to ensure fairness.

The spy process can therefore measure the delay in the execution of its operations for port five, and determine when the victim process is using the same port.

This is the signal that can then be processed to ultimately recover a private key.” – stated Nicola Tuveri.

While the researchers have only tested this vulnerability against Intel Skylake and Kaby Lake processors, they also expect it to work on AMD Ryzen processors.

“We verified it on Intel Skylake and Kaby Lake, but just because we did not have access to different machines with SMT,” Nicola Tuveri told CBNN. “We expect it to work also on AMD Ryzen, but left this to future work.”

The researchers shared a proof-of-concept exploit that only targets OpenSSL. The team chose to target OpenSSL because they are familiar with the code base and because it is so widely used, but they note that the “PortSmash technique is not tied to a particular software.”

Therefore, it is only a matter of time until diligent researchers and attackers port the PoC to steal info from other apps.

Fixes for this attack have already been added to OpenSSL 1.1.1 and for those who need an older version, patches are available for versions >= 1.1.0i.

Protecting yourself from the PortSmash vulnerability

The only way to mitigate this attack is to disable SMT/Hyper-threading on a computer, which OpenBSD has done by default since this summer, when another timing attack called TLBleed was released.

“We recommend disabling SMT/Hyper-threading as a countermeasure. OpenBSD, for instance, already disables it by default since this summer.”
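To check whether a Linux host still has the co-located threads this attack depends on, the following added example (not code from the researchers or from the original article) reads the kernel's sysfs CPU topology and reports the SMT control state and which logical CPUs share a physical core. It assumes the standard Linux paths `/sys/devices/system/cpu/smt/control` and `cpuN/topology/thread_siblings_list`; the function names and the sample layouts are constructed for illustration.

```python
import os
import re
import tempfile

SYSFS_CPU = "/sys/devices/system/cpu"  # Linux sysfs CPU directory

def parse_cpu_list(text):
    """Expand a sysfs CPU list such as '0,4' or '0-1' into sorted ints."""
    cpus = set()
    for part in text.strip().split(","):
        if part:
            lo, _, hi = part.partition("-")
            cpus.update(range(int(lo), int(hi or lo) + 1))
    return sorted(cpus)

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None  # file absent: older kernel or offline CPU

def smt_report(root=SYSFS_CPU):
    """Report the SMT control state and which logical CPUs share a core."""
    groups = set()
    for name in os.listdir(root):
        if re.fullmatch(r"cpu\d+", name):
            sib = _read(os.path.join(root, name, "topology", "thread_siblings_list"))
            if sib:
                groups.add(tuple(parse_cpu_list(sib)))
    shared = sorted(g for g in groups if len(g) > 1)
    return {"control": _read(os.path.join(root, "smt", "control")),
            "shared_cores": shared,   # threads listed together share execution ports
            "exposed": bool(shared)}

def sample_report(control, siblings):
    """Run smt_report on a constructed sysfs tree (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "smt"))
        with open(os.path.join(root, "smt", "control"), "w") as fh:
            fh.write(control + "\n")
        for cpu, sib in siblings.items():
            topo = os.path.join(root, f"cpu{cpu}", "topology")
            os.makedirs(topo)
            with open(os.path.join(topo, "thread_siblings_list"), "w") as fh:
                fh.write(sib + "\n")
        return smt_report(root)

if __name__ == "__main__":
    # Constructed 2-core/4-thread layout with SMT on, then a layout with SMT off.
    print(sample_report("on", {0: "0,2", 1: "1,3", 2: "0,2", 3: "1,3"}))
    print(sample_report("off", {0: "0", 1: "1"}))
    if os.path.isdir(SYSFS_CPU):
        print(smt_report())  # the host this script runs on
```

An empty `shared_cores` list means no two logical CPUs are currently co-located on one core, which is the state the researchers' recommendation aims for.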

CBNN
